Users login

Create an account »


Users login

Home » Hacking News » Remote Compromise Vulnerability in Apache HTTP Server

Remote Compromise Vulnerability in Apache HTTP Server

by Nikola Strahija on June 17th, 2002 ISS X-Force has discovered a serious vulnerability in the default version of Apache HTTP Server. Apache is the most popular Web server and is used on over half of all Web servers on the Internet. It may be possible for remote attackers to exploit this vulnerability to compromise Apache Web servers. Successful exploitation may lead to modified Web content, denial of service, or further compromise.

Affected Versions:

Apache 1.x

Note: Many commercial Web Application Servers such as Oracle 9ias and
IBM Websphere use Apache HTTP Server to process HTTP requests.
Additional products that bundle Apache HTTP Server for Windows may be


The Apache HTTP Server is maintained by the Apache Software Foundation.
Apache is an extremely popular open-source Web server. Netcraft
( reports that as of May 2002, Apache accounts
for over 63% of all active Web sites. Apache’s installed base is larger
than all other Web servers combined.

The Apache Project is an open-source and volunteer collaboration aimed
to create and maintain a free, feature-rich, powerful, and secure Web
server implementation. Apache is well regarded as the best, freely
available Web server.

Apache contains a flawed mechanism meant to calculate the size of
"chunked" encoding. Chunked encoding is part of the HTTP Protocol
Specification used for accepting data from Web users. When data is sent
from the user, the Web server needs to allocate a memory buffer of a
certain size to hold the submitted data. When the size of the data being
submitted is unknown, the client or Web browser will communicate with
the server by creating "chunks" of data of a negotiated size.

The Apache HTTP Server has a software flaw that misinterprets the size
of incoming data chunks. This error may lead to a signal race, heap
overflow, and to exploitation of malicious code.

X-Force has verified that this issue is exploitable on Apache for
Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same
source code, but X-Force believes that successful exploitation on most
Unix platforms is unlikely.


Internet Scanner X-Press Update 6.12 includes a check,
ApacheChunkedEncodingBo, to detect installations of Apache HTTP Server
for Win32. XPU 6.12 is available from the ISS Download Center at: For questions about downloading and
installing this XPU, email [email protected]

Detection support for this attack will be included in future X-Press
Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be
available from the ISS Download Center, and this alert will be updated
when these updates become available.

ISS X-Force has developed a patch for this issue. Follow the
instructions below, or contact your vendor for assistance:

To apply a source code patch to your Apache package:

1. Locate your source directory and navigate into the "main" sub-
2. Verify that "http_protocol.c" is present in the current directory.
3. To update your http_protocol.c file, create a file named
"apache_patch.diff", containing the following text:

- --- http_protocol.c.vuln Fri Jun 14 16:12:50 2002
+++ http_protocol.c Fri Jun 14 16:13:47 2002
@@ -2171,7 +2171,7 @@

/* Otherwise, we are in the midst of reading a chunk of data */

- - len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;
+ len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz : r->

len_read = ap_bread(r->connection->client, buffer, len_to_read);
if (len_read

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »